Medibank cyber attack prompts increased APRA supervision

APRA has intensified supervision of regulated entities for compliance with the Information Security Standard CPS 234 to combat cyber threats following the recent Medibank cyber attack.

Concern for the security of information assets following the recent cyber incident at Medibank has prompted the Australian Prudential Regulation Authority (APRA) to step up its supervision of APRA-regulated entities for compliance with the Information Security Standard CPS 234.

Medibank confirmed that criminals claim to have stolen 200GB of data including names, dates of birth, Medicare numbers and claims data with codes relating to diagnosis and procedures. APRA’s UpGuard team reported in 2022 that the majority of data breaches ‘are the result of poorly secured software development practices’.

Fundamental questions for Boards of regulated entities include:

Do you know what data you are holding?

Do you know where it is?

How do you know it is safe?

And do you need to retain it?

APRA compliance recommendations

APRA recommends that regulated entities should undertake systemic testing and assurance at least annually to evaluate the effectiveness of their controls, including those managed by related parties and third parties.

To ensure that regulated entities are taking appropriate measures to protect their information assets, APRA has outlined specific steps that should be taken to comply with CPS 234. This includes:

• clearly defining information security-related roles and responsibilities
• maintaining an information security capability commensurate with the size and extent of threats
• implementing controls to protect information assets, and
• having mechanisms in place to detect, escalate and respond to information security incidents.

In the event of a material information security incident, entities are required to notify APRA no later than 72 hours.

How SW can help

As an increasing number of major cyber attacks become known, the importance of your information security systems and processes are paramount to ensure sensitive information assets are protected appropriately.

Our experienced experts have undertaken annual audits of these systems and processes across information security, compliance, risk management, and internal audit services. Working closely with clients to understand their business, security needs and particular risks, we conduct a full review with clear recommendations to ensure proactive steps are in place to protect the business and its assets.

We recommend best practice plans for CPS 234 and guide clients to implement information security assessments to ensure your cyber resilience.

Our support can include:

• A gap analysis of current practices against CPS 234
• Review of information security practices and third-party security assessments
• Independent security controls testing

Reach out to Laura Toscano or your Key Contacts here for an obligation-free discussion to find out how we can assist with your testing and assurance program.

Contributors

Laura Toscano